As implemented, sha1sum would sometimes give the wrong answer.

This fixes it and uses faster sha1 code from Dr. Gladman. -Erik
author: Eric Andersen <andersen@codepoet.org> 2003-07-03 09:41:41 +0000
committer: Eric Andersen <andersen@codepoet.org> 2003-07-03 09:41:41 +0000
commit: 61f6db130e9c2b524d99a34d623c6d05732c6c21 (patch)
tree: ff442de26fd023e892bec6ffa4197b502679a447 /coreutils
parent: a63d09a51772caca2e33b7103d447a06d688bb92 (diff)
download: busybox-61f6db130e9c2b524d99a34d623c6d05732c6c21.tar.gz
1 files changed, 298 insertions, 109 deletions
diff --git a/coreutils/sha1sum.c b/coreutils/sha1sum.c
index 7071fb6b7..1148aac19 100644
--- a/coreutils/sha1sum.c
+++ b/coreutils/sha1sum.c
@@ -1,13 +1,10 @@
 /*
  *  Based on shasum from http://www.netsw.org/crypto/hash/
- *  
- *  shasum fixed with reference to coreutils and the nist fip180-1 document
- *  which is incorrect, in section 5
- *  - ft(B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)
- *  + ft(B,C,D) = (D XOR (B AND (C XOR D))) ( 0 <= t <= 19)
+ *  Majorly hacked up to use Dr Brian Gladman's sha1 code
  *
  *  Copyright (C) 1999 Scott G. Miller
  *  Copyright (C) 2003 Glenn L. McGrath
+ *  Copyright (C) 2003 Erik Andersen
  * 
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -29,137 +26,325 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
+#include <stdint.h>
 #include <endian.h>
+#include <byteswap.h>
 #include "busybox.h"
 
+
+/*
+ ---------------------------------------------------------------------------
+ Begin Dr. Gladman's sha1 code
+ ---------------------------------------------------------------------------
+*/
+
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 10/11/2002
+
+ This is a byte oriented version of SHA1 that operates on arrays of bytes
+ stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
+*/
+
+#define SHA1_BLOCK_SIZE  64
+#define SHA1_DIGEST_SIZE 20
+#define SHA1_HASH_SIZE   SHA1_DIGEST_SIZE
+#define SHA2_GOOD        0
+#define SHA2_BAD         1
+
+/* type to hold the SHA1 context  */
+typedef struct
+{   uint32_t count[2];
+    uint32_t hash[5];
+    uint32_t wbuf[16];
+} sha1_ctx;
+
+#define rotl32(x,n) (((x) << n) | ((x) >> (32 - n)))
+
 #if __BYTE_ORDER == __BIG_ENDIAN
-# define SWAP(n) (n)
+# define swap_b32(x) (x)
+#elif defined(bswap_32)
+# define swap_b32(x) bswap_32(x)
 #else
-# define SWAP(n) \
-    (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
+# define swap_b32(x) ((rotl32((x), 8) & 0x00ff00ff) | (rotl32((x), 24) & 0xff00ff00))
 #endif
 
-#define f1(X,Y,Z) (Z ^ (X & (Y ^ Z)))
-#define f2(X,Y,Z) (X ^ Y ^ Z)
-#define f3(X,Y,Z) ((X & Y) | (Z & (X | Y)))
+#define SHA1_MASK   (SHA1_BLOCK_SIZE - 1)
 
-#define rol1(x) (x<<1) | ((x>>31) & 1)
-#define rol5(x) ((x<<5) | ((x>>27) & 0x1f))
-#define rol30(x) (x<<30) | ((x>>2) & 0x3fffffff)
+/* reverse byte order in 32-bit words   */
+#define ch(x,y,z)       (((x) & (y)) ^ (~(x) & (z)))
+#define parity(x,y,z)   ((x) ^ (y) ^ (z))
+#define maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 
-static void sha_hash(unsigned int *data, int *hash)
+/* A normal version as set out in the FIPS. This version uses   */
+/* partial loop unrolling and is optimised for the Pentium 4    */
+#define rnd(f,k)    \
+    t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \
+    e = d; d = c; c = rotl32(b, 30); b = t
+
+void sha1_compile(sha1_ctx ctx[1])
 {
-	RESERVE_CONFIG_BUFFER(word, 80 * sizeof(unsigned int));
-	int *W = (unsigned int *) &word;
-	int a = hash[0];
-	int b = hash[1];
-	int c = hash[2];
-	int d = hash[3];
-	int e = hash[4];
-	int t;
-	int TEMP;
-
-	for (t = 0; t < 16; t++) {
-		W[t] = SWAP(data[t]);
-	}
+    uint32_t    w[80], i, a, b, c, d, e, t;
+
+    /* note that words are compiled from the buffer into 32-bit */
+    /* words in big-endian order so an order reversal is needed */
+    /* here on little endian machines                           */
+    for(i = 0; i < SHA1_BLOCK_SIZE / 4; ++i)
+        w[i] = swap_b32(ctx->wbuf[i]);
+
+    for(i = SHA1_BLOCK_SIZE / 4; i < 80; ++i)
+        w[i] = rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
+
+    a = ctx->hash[0];
+    b = ctx->hash[1];
+    c = ctx->hash[2];
+    d = ctx->hash[3];
+    e = ctx->hash[4];
+
+    for(i = 0; i < 20; ++i)
+    {
+        rnd(ch, 0x5a827999);    
+    }
+
+    for(i = 20; i < 40; ++i)
+    {
+        rnd(parity, 0x6ed9eba1);
+    }
+
+    for(i = 40; i < 60; ++i)
+    {
+        rnd(maj, 0x8f1bbcdc);
+    }
+
+    for(i = 60; i < 80; ++i)
+    {
+        rnd(parity, 0xca62c1d6);
+    }
+
+    ctx->hash[0] += a; 
+    ctx->hash[1] += b; 
+    ctx->hash[2] += c; 
+    ctx->hash[3] += d; 
+    ctx->hash[4] += e;
+}
 
-	/** Data expansion from 16 to 80 blocks **/
-	for (t = 16; t < 80; t++) {
-		int x = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
-		W[t] = rol1(x);
-	}
+void sha1_begin(sha1_ctx ctx[1])
+{
+    ctx->count[0] = ctx->count[1] = 0;
+    ctx->hash[0] = 0x67452301;
+    ctx->hash[1] = 0xefcdab89;
+    ctx->hash[2] = 0x98badcfe;
+    ctx->hash[3] = 0x10325476;
+    ctx->hash[4] = 0xc3d2e1f0;
+}
 
-	/** Main loops **/
-	for (t = 0; t < 20; t++) {
-		TEMP = rol5(a) + f1(b, c, d) + e + W[t] + 0x5a827999;
-		e = d;
-		d = c;
-		c = rol30(b);
-		b = a;
-		a = TEMP;
-	}
-	for (; t < 40; t++) {
-		TEMP = rol5(a) + f2(b, c, d) + e + W[t] + 0x6ed9eba1;
-		e = d;
-		d = c;
-		c = rol30(b);
-		b = a;
-		a = TEMP;
-	}
-	for (; t < 60; t++) {
-		TEMP = rol5(a) + f3(b, c, d) + e + W[t] + 0x8f1bbcdc;
-		e = d;
-		d = c;
-		c = rol30(b);
-		b = a;
-		a = TEMP;
-	}
-	for (; t < 80; t++) {
-		TEMP = rol5(a) + f2(b, c, d) + e + W[t] + 0xca62c1d6;
-		e = d;
-		d = c;
-		c = rol30(b);
-		b = a;
-		a = TEMP;
-	}
+/* SHA1 hash data in an array of bytes into hash buffer and call the        */
+/* hash_compile function as required.                                       */
+void sha1_hash(const unsigned char data[], unsigned int len, sha1_ctx ctx[1])
+{
+    uint32_t pos = (uint32_t)(ctx->count[0] & SHA1_MASK), 
+            freeb = SHA1_BLOCK_SIZE - pos;
+    const unsigned char *sp = data;
+
+    if((ctx->count[0] += len) < len)
+        ++(ctx->count[1]);
 
-	RELEASE_CONFIG_BUFFER(word);
+    while(len >= freeb)     /* tranfer whole blocks while possible  */
+    {
+        memcpy(((unsigned char*)ctx->wbuf) + pos, sp, freeb);
+        sp += freeb; len -= freeb; freeb = SHA1_BLOCK_SIZE; pos = 0; 
+        sha1_compile(ctx);
+    }
 
-	hash[0] += a;
-	hash[1] += b;
-	hash[2] += c;
-	hash[3] += d;
-	hash[4] += e;
+    memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
 }
 
-static char sha1sum_stream(FILE *fd, unsigned int *hashval)
+/* SHA1 Final padding and digest calculation  */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+static uint32_t  mask[4] = 
+	{   0x00000000, 0x000000ff, 0x0000ffff, 0x00ffffff };
+static uint32_t  bits[4] = 
+	{   0x00000080, 0x00008000, 0x00800000, 0x80000000 };
+#else
+static uint32_t  mask[4] = 
+	{   0x00000000, 0xff000000, 0xffff0000, 0xffffff00 };
+static uint32_t  bits[4] = 
+	{   0x80000000, 0x00800000, 0x00008000, 0x00000080 };
+#endif
+
+void sha1_end(unsigned char hval[], sha1_ctx ctx[1])
 {
-	RESERVE_CONFIG_BUFFER(buffer, 64);
-	int length = 0;
-
-	hashval[0] = 0x67452301;
-	hashval[1] = 0xefcdab89;
-	hashval[2] = 0x98badcfe;
-	hashval[3] = 0x10325476;
-	hashval[4] = 0xc3d2e1f0;
-
-	while (!feof(fd) && !ferror(fd)) {
-		int c = fread(&buffer, 1, 64, fd);
-		length += c;
-		if (feof(fd) || ferror(fd)) {
-			int i;
-			for (i = c; i < 61; i++) {
-				if (i == c) {
-					buffer[i] = 0x80;
-				}
-				else if (i == 60) {
-					/* This ends up being swaped twice */
-					((unsigned int *) &buffer)[15] = SWAP(length * 8);
-				} else {
-					buffer[i] = 0;
-				}
-			}
+    uint32_t    i, cnt = (uint32_t)(ctx->count[0] & SHA1_MASK);
+
+    /* mask out the rest of any partial 32-bit word and then set    */
+    /* the next byte to 0x80. On big-endian machines any bytes in   */
+    /* the buffer will be at the top end of 32 bit words, on little */
+    /* endian machines they will be at the bottom. Hence the AND    */
+    /* and OR masks above are reversed for little endian systems    */
+    ctx->wbuf[cnt >> 2] = (ctx->wbuf[cnt >> 2] & mask[cnt & 3]) | bits[cnt & 3];
+
+    /* we need 9 or more empty positions, one for the padding byte  */
+    /* (above) and eight for the length count.  If there is not     */
+    /* enough space pad and empty the buffer                        */
+    if(cnt > SHA1_BLOCK_SIZE - 9)
+    {
+        if(cnt < 60) ctx->wbuf[15] = 0;
+        sha1_compile(ctx);
+        cnt = 0;
+    }
+    else    /* compute a word index for the empty buffer positions  */
+        cnt = (cnt >> 2) + 1;
+
+    while(cnt < 14) /* and zero pad all but last two positions      */ 
+        ctx->wbuf[cnt++] = 0;
+    
+    /* assemble the eight byte counter in the buffer in big-endian  */
+    /* format                                                       */
+
+    ctx->wbuf[14] = swap_b32((ctx->count[1] << 3) | (ctx->count[0] >> 29));
+    ctx->wbuf[15] = swap_b32(ctx->count[0] << 3);
+
+    sha1_compile(ctx);
+
+    /* extract the hash value as bytes in case the hash buffer is   */
+    /* misaligned for 32-bit words                                  */
+
+    for(i = 0; i < SHA1_DIGEST_SIZE; ++i)
+        hval[i] = (unsigned char)(ctx->hash[i >> 2] >> 8 * (~i & 3));
+}
+
+#if 0
+void sha1(unsigned char hval[], const unsigned char data[], unsigned int len)
+{   sha1_ctx    cx[1];
+
+    sha1_begin(cx); sha1_hash(data, len, cx); sha1_end(hval, cx);
+}
+#endif
+
+/*
+ ---------------------------------------------------------------------------
+ End of Dr. Gladman's sha1 code
+ ---------------------------------------------------------------------------
+*/
+
+/* Using a larger blocksize can make things _much_ faster
+ * by avoiding a zillion tiny little reads */
+#define BLOCKSIZE 65536
+/* Ensure that BLOCKSIZE is a multiple of 64.  */
+#if BLOCKSIZE % SHA1_BLOCK_SIZE != 0
+# error "BLOCKSIZE not a multiple of 64"
+#endif
+
+static int sha1sum_stream(FILE *stream, unsigned char *hashval)
+{
+    int result = 0;
+    sha1_ctx cx[1];
+    size_t sum, n;
+    RESERVE_CONFIG_BUFFER(buffer, BLOCKSIZE + 72);
+
+    /* Initialize the computation context.  */
+    sha1_begin(cx);
+
+    /* Iterate over full file contents.  */
+    while (1) 
+    {
+	/* We read the file in blocks of BLOCKSIZE bytes.  One call of the
+	   computation function processes the whole buffer so that with the
+	   next round of the loop another block can be read.  */
+	sum = 0;
+
+	/* Read block.  Take care for partial reads.  */
+	while (1)
+	{
+	    n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
+	    sum += n;
+
+	    if (sum == BLOCKSIZE)
+		break;
+
+	    if (n == 0) {
+		/* Check for the error flag IFF N == 0, so that we don't
+		   exit the loop after a partial read due to e.g., EAGAIN
+		   or EWOULDBLOCK.  */
+		if (feof (stream)) {
+		    sum = 0;
+		    goto process_partial_block;
+		}
+		if (ferror (stream)) {
+		    result++;
+		    goto all_done;
 		}
-		sha_hash((unsigned int *) &buffer, hashval);
+		goto process_partial_block;
+	    }
+
+	    /* We've read at least one byte, so ignore errors.  But always
+	       check for EOF, since feof may be true even though N > 0.
+	       Otherwise, we could end up calling fread after EOF.  */
+	    if (feof (stream))
+		goto process_partial_block;
 	}
 
-	RELEASE_CONFIG_BUFFER(buffer);
+	/* Process buffer */
+	sha1_hash(buffer, BLOCKSIZE, cx);
+    }
+
+process_partial_block:
+
+    /* Process any remaining bytes.  */
+    if (sum > 0)
+	sha1_hash(buffer, sum, cx);
+
+    /* Finalize and write the hash into our buffer.  */
+    sha1_end(hashval, cx);
+
+all_done:
 
-	return(EXIT_SUCCESS);
+    RELEASE_CONFIG_BUFFER(buffer);
+    return result;
 }
 
 #define FLAG_SILENT	1
 #define FLAG_CHECK	2
 #define FLAG_WARN	4
 
-static unsigned char *hash_bin_to_hex(unsigned int *hash_value, unsigned char hash_length)
+static unsigned char *hash_bin_to_hex(unsigned char *hash_value, unsigned char hash_length)
 {
-	unsigned char x;
+	int x, len, max;
 	unsigned char *hex_value;
 
-	hex_value = xmalloc(hash_length * 8);
-	for (x = 0; x < hash_length; x++) {
-		sprintf(&hex_value[x * 8], "%08x", hash_value[x]);
+	max = (hash_length * 2) + 2;
+	hex_value = xmalloc(max);
+	for (x = len = 0; x < hash_length; x++) {
+	    len += snprintf(hex_value+len, max-len, "%02x", hash_value[x]);
 	}
 	return(hex_value);
 }
@@ -178,9 +363,11 @@ FILE *wfopen_file_or_stdin(const char *file_ptr)
 }
 
 /* This could become a common function for md5 as well, by using md5_stream */
-extern int authenticate(int argc, char **argv, char (*hash_ptr)(FILE *stream, unsigned int *hashval), const unsigned char hash_length)
+extern int authenticate(int argc, char **argv, 
+	int (*hash_ptr)(FILE *stream, unsigned char *hashval), 
+	const unsigned char hash_length)
 {
-	unsigned int hash_value[hash_length];
+	unsigned char hash_value[hash_length];
 	unsigned int flags;
 	int return_value = EXIT_SUCCESS;
 
@@ -245,6 +432,7 @@ extern int authenticate(int argc, char **argv, char (*hash_ptr)(FILE *stream, un
 			line_ptr++;
 			stream = bb_wfopen(line_ptr, "r");
 			if (hash_ptr(stream, hash_value) == EXIT_FAILURE) {
+				bb_perror_msg("%s", file_ptr);
 				return_value = EXIT_FAILURE;
 			}
 			if (fclose(stream) == EOF) {
@@ -280,6 +468,7 @@ extern int authenticate(int argc, char **argv, char (*hash_ptr)(FILE *stream, un
 				continue;
 			}
 			if (hash_ptr(stream, hash_value) == EXIT_FAILURE) {
+				bb_perror_msg("%s", file_ptr);
 				return_value = EXIT_FAILURE;
 			}
 			else if (!flags & FLAG_SILENT) {
@@ -299,5 +488,5 @@ extern int authenticate(int argc, char **argv, char (*hash_ptr)(FILE *stream, un
 
 extern int sha1sum_main(int argc, char **argv)
 {
-	return (authenticate(argc, argv, sha1sum_stream, 5));
+	return (authenticate(argc, argv, sha1sum_stream, SHA1_HASH_SIZE));
 }
author	Eric Andersen <andersen@codepoet.org>	2003-07-03 09:41:41 +0000
committer	Eric Andersen <andersen@codepoet.org>	2003-07-03 09:41:41 +0000
commit	61f6db130e9c2b524d99a34d623c6d05732c6c21 (patch)
tree	ff442de26fd023e892bec6ffa4197b502679a447 /coreutils
parent	a63d09a51772caca2e33b7103d447a06d688bb92 (diff)
download	busybox-61f6db130e9c2b524d99a34d623c6d05732c6c21.tar.gz